Understanding the Difference: Email Domain vs App Domain Whitelisting
Whitelisting ensures that system emails and platform content are not blocked or filtered by your organisation’s email or network security systems.
There are two types of domain whitelisting used in the Security Awareness Platform:
By Email Domain
Purpose:
These domains are used exclusively to send emails from the Security Awareness Platform. This includes:
- Simulated phishing emails
- System notifications (e.g. training reminders, reports, password resets)
Domains to Whitelist (Email):
- mail.goldphish.com
- mail.emailsupport.me
Why It Matters:
Email gateways and spam filters may block or quarantine these messages if the sending domains are not explicitly trusted. Whitelisting ensures that all system emails land in users' inboxes reliably.
By App Domain
Purpose:
This domain is used to host the Security Awareness Platform itself - it's where admins manage campaigns and learners complete training.
Domains to Whitelist:
- app.goldphish.com
Why It Matters:
Some environments with web filtering, SSL inspection, or firewalls may block access to the app or restrict embedded content (e.g. images or training modules loading inside emails). Whitelisting this domain prevents issues accessing the platform or completing training.
Quick Comparison Table
| Type | Domain(s) | Used For | Whitelist In |
| --- | --- | --- | --- |
| Email Domain | mail.goldphish.com, mail.emailsupport.me | Sending simulated phishing & system emails | Email gateway/spam filter |
| App Domain | app.goldphish.com | Hosting the Security Awareness platform & embedded content | Web filter/firewall/proxy |
Best Practices
- Always prioritise domain-based whitelisting over IP-based whitelisting unless advised otherwise.
- Refer to our full Whitelisting Technical Information guide for specific setup instructions.
- If using advanced security tools (e.g. Microsoft Defender, Bitdefender), refer to our System-Specific Whitelisting Guides for additional configuration steps.